Open Source Troubles

Yesterday the alarm went out: there was a glaringly huge security hole in some open source Java code, code used by most server farms and a lot of online games. The trouble was in Log4j, a Java logging component created by Apache.

The point of Open Source was that anyone could grab the code and check for flaws just like this. But no one did, evidently, because this security hole goes back almost ten years!

Because it's available, will anyone look at it? Probably, but it's not always the white hats who do. This hole has probably been exploited since the code was written, but those exploiting it were smart enough not to tell anyone it was there.

Proprietary code is more difficult to inspect, but that's a bonus when there are security holes in it; the black hats have a much harder time finding the holes.

So after an hour last night, and 30 minutes this morning, I've updated and patched all instances of Log4j in my little server farm. I wish the big companies luck in doing the same.